CoinJoin Alternatives to Wasabi

[witcher_sense]

With Samourai, you can avoid this by running your own Dojo server. I'm not sure yet how it works with Sparrow. witcher_sense has said above that you can point Sparrow to your own Bitcoin Core instance, but I'm still not sure how it then communicates with the coinjoin coordinator and if it does so privately. If I had a real need to use Sparrow then I would look in to all of this, but at the moment I don't so I haven't bothered.

To retrieve UTXO information, you connect Sparrow Wallet directly to your bitcoin full node. No privacy leak here, except that all addresses of your hot wallet are stored in plain text on your computer. Unless malicious Samourai devs get access to your computer, they aren't going to determine which addresses are yours. But what about Whirlpool itself? Don't we need to share some information with a CoinJoin coordinator, which is known to be run by Samourai devs? Yes, we still need to give them inputs and outputs because this is how CoinJoin works. How much information can they collect about us? Actually, not so much. Like in the case of Wasabi wallet, they can learn that certain inputs belong to the same Tor-identity, that is, the same user. They still can't learn your IP address, and they still can't map inputs and outputs.

Craig Raw, founder of Sparrow Wallet:

If you start to CoinJoin, all of the UTXO information is coming from the same source that it always did. Nothing goes to Samourai’s servers. The only UTXO information you send is to the coordinator, and that’s done according to the ZeroLink protocol, which basically ensures that your identity changes in the middle of the mix. In other words, the coordinator doesn’t know the identity of the client for the final mix transaction that goes out because the identity will actually change via Tor. We created a new Tor circuit in the middle of the mix to ensure that there’s a break in the way that the coordinator can see things. And that’s been well-researched and well understood. That’s a very important part of things is to ensure that the privacy of your UTXOs remains the same.

[tomt1664]

The thing about Mercury is that it doesn't obfuscate the history of the coins you receive, but rather swaps your history for someone else's history, and leaves no traces on the blockchain that this has happened.

Now that makes sense.  This is both good and bad.  As witcher said, it would help to make Bitcoin's transparency a less reiable source of information.  Ideally.  But realistically, if I swap my 'clean' history for a 'tainted' one, I may now be falling under other kind of trouble I would not have previously expected.  Just imagine you used Mercury and all of the sudden you own the coin of which history is a large hack like Bitfinex.  Now that is a BIG red flag on your back you have to get rid of.  To me, Coin Joining and Mixing is definitely superior.  While swapping history helps turning transparency into a less reliable source of information, Mixing and Coin Joining does much more than that.

With any type of coinswap (mercury included), the users themselves will always have proof they they have been involved in a swap - which can be selectively revealed in order to deny ownership of the history - e.g. to law enforcement. The problem is that as the technique is under the radar and not well used, the 'transaction graph heuristic' is still used by chainanalysis, and people want to avoid suspicion attached to any coin history not theirs.

But in the current mercury, withdrawal transactions are actually identifiable as mercury withdrawals on-chain (due to the withdrawal fee output). Therefore the anonymity set (on-chain) is all mercury withdrawals of a specific amount. Off-chain, the mercury server will know which coins have been swapped, but will not be able to link the transfer of ownership within swaps due to the blinded zero-link style swap protocol.

This blog explains some of this in more detail: https://blog.commerceblock.com/bitcoin-privacy-and-tainting-coinjoins-and-coinswaps-meet-statechains-b0d6c1146a24

[o_e_l_e_o]

-snip-

Thanks. If all that is accurate, then it does indeed look good, and maybe comparable to running Samourai with your own Dojo server. I would still want to verify all that myself before I used it though.

But in the current mercury, withdrawal transactions are actually identifiable as mercury withdrawals on-chain (due to the withdrawal fee output).

I remember we discussed this before. What exactly is the fee that you charge? Can you link to a few examples of Mercury withdrawal transactions so we can see what exactly they look like?

[Pmalek]

If every transaction in the blockchain is broadly known to be the result of a swap, it will be harder for a potential observer to find out who owns what, and who makes transactions with whom. If a robber is not sure you really have those coins, he is unlikely to make you a target.

That would require a serious attitude change of the entire Bitcoin userbase and I am sure that is never going to happen. But even if it does at one point in the future, I don't see robbers going that deep into research to consider if their potential victim has or doesn't have the coins that their history shows they should possess.   

[ABCbits]

If every transaction in the blockchain is broadly known to be the result of a swap, it will be harder for a potential observer to find out who owns what, and who makes transactions with whom. If a robber is not sure you really have those coins, he is unlikely to make you a target.

That would require a serious attitude change of the entire Bitcoin userbase and I am sure that is never going to happen.

The protocol (PayJoin[1]) already exist though. If more merchant use it as default option and more wallet support it[2], i expect some users will use it and some of them might not even realize their transaction use PayJoin.

But even if it does at one point in the future, I don't see robbers going that deep into research to consider if their potential victim has or doesn't have the coins that their history shows they should possess.   

I agree, it's more likely the robber use another means to obtain reliable information or simply seek more vulnerable target.

[1] https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki
[2] https://en.bitcoin.it/wiki/PayJoin_adoption#Software_Wallets

[tomt1664]

I remember we discussed this before. What exactly is the fee that you charge? Can you link to a few examples of Mercury withdrawal transactions so we can see what exactly they look like?

The withdrawal fee is currently 0.5% of the coin value - this is the only fee - unlimited (within the timelock constraint) swaps are free.

This is an example of a deposit tx:
https://blockstream.info/tx/ce0d2e4ff5d20deea6d1972903baab2d1e5cd38afec14dd2d3e78a85d24b79c0

and the corresponding withdrawal tx:
https://blockstream.info/tx/e227f4b110494fff5ce76e413ee620d96041c0f4d082d7faaab1b50bad813fb2

The fee address is currently fixed, so it is trivial to find all withdrawals:
https://blockstream.info/address/bc1q0gx4c3jg4lfckd05t0l7e3w4m3prhkspzh0dqd

We are working on a new feature where the fee can be paid upfront before deposit, either via a LN payment or separate bitcoin tx, enabling users to have no on-chain link to mercury.

[PrimeNumber7]

It is possible to trace CJ transactions and has been for quite some time.

That might be true, but there is no denying that Wasabi coinjoins will be under much greater scrutiny than other coinjoins, since Wasabi are actively paying a blockchain analysis company to monitor their coinjoins and tell them if they have to censor any specific inputs.

Are you sure they are giving a list of inputs to a blockchain analysis company, as opposed to getting a list of addresses/inputs that should be blacklisted that they can compare proposed inputs to?

Even if it is the former, it would be unusual for a company to use data from their paying customers for other commercial purposes.

The broad use of such tools as Mercury wallet or coin swap may help to make blockchain's transparency a less reliable source of information for undesirable observers.

I completely agree, and I've said as much before - if everyone just started mixing their coins as their standard practice, then the concept of taint would disappear overnight and bitcoin would be completely fungible. Every centralized service would either have to accept any and all bitcoin, or go bankrupt. Bitcoin would be completely fungible, no one would end up with accounts being locked for arbitrary reasons, blockchain analysis companies would be useless, everyone would regain so much lost privacy, and the whole ecosystem would be far better off for it.

Not necessarily. With the exception of CM, researchers have been able to trace inputs to outputs from all major mixers, and have published their results. CM uses countermeasures that would prevent inputs from being linked to outputs using methods described in public research, however, in theory, the inputs may be linked to outputs (assuming of course CM is not actively keeping track of inputs/outputs pairs and/or is some kind of honeypot).

[o_e_l_e_o]

We are working on a new feature where the fee can be paid upfront before deposit, either via a LN payment or separate bitcoin tx, enabling users to have no on-chain link to mercury.

Interesting indeed. So users will have the option to either hide the fact they are using Mercury if they don't want someone knowing that their coins haves been mixed/swapped, but can also make it obvious they have used Mercury if they don't want to be linked to the other user's history. Cool feature. I'll definitely check it out again sometime.

Are you sure they are giving a list of inputs to a blockchain analysis company, as opposed to getting a list of addresses/inputs that should be blacklisted that they can compare proposed inputs to?

No idea, and given how shady Wasabi have been about this whole thing, don't expect them to be honest and tell us. Any "privacy" firm coordinating with blockchain analysis firms is not to be trusted though, and especially not one which is actively using your coinjoin fees to pay blockchain analysis firms.

Even if it is the former, it would be unusual for a company to use data from their paying customers for other commercial purposes.

Lol what? Not sure if I've misunderstood you here or you are being incredibly naive? Pretty much every big business is monetizing your data, from Coinbase to Coinmarketcap, from Facebook to Google, from your health insurance provider to your streaming content provider.

[PrimeNumber7]

Even if it is the former, it would be unusual for a company to use data from their paying customers for other commercial purposes.

Lol what? Not sure if I've misunderstood you here or you are being incredibly naive? Pretty much every big business is monetizing your data, from Coinbase to Coinmarketcap, from Facebook to Google, from your health insurance provider to your streaming content provider.

Not many people pay to use CMC, Facebook, nor Google. I am not sure how you think health insurance companies or Netflex are monetizing customer data.

Netflix makes suggestions based on your viewing history, in part in an effort to get you to use their platform more, but that is hardly "monetizing" data. I am sure that health insurance companies use analytics to try to improve health outcomes, detect fraud, and find efficiencies.

[o_e_l_e_o]

I am not sure how you think health insurance companies or Netflex are monetizing customer data.

Data brokers pay good money for such data, which they can then sell on to anyone who is interested. And there are literally hundreds of data brokers out there, all collecting as much information about you as they can get their hands on. Every single data point, from your medical diagnoses to the movies you like to watch, adds to your profile and increase both the number of interested customers these data brokers have and the price they can charge those customers.

https://www.linkedin.com/pulse/data-brokers-pay-your-healthcare-information-shannon-block-cfe
https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/